August 29, 2008

THOMAS G. DAY
SENIOR VICE PRESIDENT, INTELLIGENT MAIL AND ADDRESS QUALITY

ALEXANDER E. LAZAROFF
CHIEF INSPECTOR, POSTAL INSPECTION SERVICE

KATHLEEN AINSWORTH
VICE PRESIDENT, RETAIL OPERATIONS

JORDAN M. SMALL
VICE PRESIDENT, DELIVERY OPERATIONS

DEAN J. GRANHOLM
ACTING VICE PRESIDENT, NETWORK OPERATIONS MANAGEMENT

SUBJECT: Audit Report – Identity Theft Potential in the Change of Address Process
         (Report Number IS-AR-08-016)

This report presents the results of our audit of Identity Theft Potential in the Change of
Address (COA) Process (Project Number 08RG009IS000). Our objective was to
determine if COA controls ensure that address change requests were properly
authorized and validated to minimize potential identity theft. This self-initiated audit
addresses the operational risks associated with the U.S. Postal Service’s COA process.
See Appendix A for additional information about this audit.

Conclusion

The Postal Service should improve controls to ensure proper authorization and
validation of COA requests, which can be made via Internet Change of Address (ICOA),
Telephone Change of Address (TCOA), and hard copy (Postal Service [PS] Form 3575,
Official Mail Forwarding Change of Address Order, index cards, and letters). The ICOA
and TCOA methods are operating as intended xxxxxx xxx xxxxxxxx xxxxxxxxxxx xxx
xxx xx xxxxxxx xxxxxx xxxxx, xxxxx xxxxxxxxxxxxx xxx xxxxxxxxxx xxxxxxxx xxxxxx xx
xxxxxxxx xxx xxx xxxx xxxx XXX xxxxxxx. In addition, monitoring controls surrounding
the COA complaints process should be improved.
Strengthening these controls will
further reduce weaknesses in the COA process that, if left unmitigated, could contribute
to identity theft.

Identity Theft Potential in the Change of Address Process                IS-AR-08-016

Authentication of Internet and Telephone Change of Address Orders

Xxxxxxxxx xxxx xxxxxxx xxxxxx xxxxx xx x xxxxx xx xxxxxxxx xxxxxxxxxxxx[1] xxxx
xxxxxxxxxx xxxx xxx xxxx xxxxxx, xxxxxxxxxxxxx xxxxxxxxxxxxx xxx xxxxxxx
xxxxxxxxxxxx xxxxxxxx. xxxxxxx, xxxxx xxxxxxx xxxxxx xxxxx xxxx xxx xxxxxxxxxx
xxxx xxx xxxxxxxxxx xxx xx xxx xxxxxxxxx xx xxxxxxxx xx xxxxxx.[2] xxxx xxxxxxxx
xxxxxxx xxxxxxxxxx xxx xxx xxxxxx xxxx xxx xxxx xxxxxxxxxxxx xx xxxxxxxx xxx xxx xx
xxxxxxxxx xxxxxxx xxxxxx xxxxx. xxxxxxxxx xxx xxxxxxxxxx xx xxxxxxxxx xxxxxxx
xxxxxx xxxxx xxxx xxxxxxxxx xxxxxx xxxx xxx xxxx xxxxxx xxxxx xxxx xx xxxxxx xxxx
xxxxxxxxxx xxxxxxxxxxx xxxxxx xxx xxxxxx. This will further reduce the risk of diverting
mail to unauthorized addresses, which contributes to potential fraud, identity theft, and
monetary loss to customers. See Appendix B for analysis of this topic.

We recommend the Senior Vice President, Intelligent Mail and Address Quality, direct
the Manager, Address Management, to:

1. Update the Internet and Telephone Change of Address applications xx xxxxxxxxx
   xxxxxxxxxx xx xxxxxxxxx xxxxxxx xxxxxx xxxxx.

Authentication of Hard Copy Change of Address Orders

Authorization and validation controls surrounding the hard copy COA process do not
always prevent the acceptance and processing of unauthorized COA requests. Unlike
the electronic COA processes, the hard copy COA process does not have sufficient
controls in place to verify COA orders are legitimate and authorized by the owner of the
address.
The Postal Service faces challenges to ensure a proper balance between
providing timely customer service and assuring proper customer authorization for the
hard copy COA process. While policy indicates that employees should reject and return
orders with no signature to delivery units,[3] in some cases orders without signature are
still being processed. Additionally, we identified other issues with these forms, including
signature mismatches, and Postal Service employees’ signatures or initials rather than
the customers’. Ensuring proper authorization of these hard copy forms could prevent
illegal diversion of mail, which could damage the postal brand and lead to identity theft.
See Appendix B for analysis of this topic.

[1] Postal Service policy requires the customer’s credit card billing address to match either
    the customer’s old or new address. The eCapabilities and PayPal payment processing
    systems for ICOA and TCOA, respectively, interact with the Address Verification System
    to ensure the customer’s billing address matches the customer’s old or new ZIP Code.
    xxxxxxxx xx xxx xxxxxxxxxxxx xx xxx xxx xxx xxx xxxxxxx xx xxx xxxxxxxx xxxxxxxxxxxx
    xxxxxxx. xxx xxx xx xxxxxxx xxxxxx xxxxx xxxxxxxxxxx xxxx xxxxxxx.
[2] Xxxxxxxx xxxxxxxxxx xx xxxxxxxxx xxxxxxx xxxxxxxx, xxxx xxx xxx xxxx xxxxxx xxxxxxx,
    xxxxx xxxx xx,xxxx, xxxxxxxx x, xxxxxx xxxx xxxxxxxxxx, xxx xxx, xxxx xxxx xxxxxxxxxx
    xxx xxxxxxxxx, xxxxx xxxxxxxxxxxx x xxxxxxxx xxxxxxxxxxxxx, xxxx xxxxxxx xxxxxx,
    xxxxx x, xxxxxxx xxxxxxxxxx, xxxxxxx x, xxxxxx xxxxxxxxxxxxxxxx xxx xxxxxxxxxx
    xxxxxxxxxxxx xxxxx.
[3] Handbook PO-250, Consumer Answer Book, Chapter 4, Section 4-4; Change of Address
    Forms Processing System (CFPS) Scanner Site Operations Training Course
    Operator/Supervisor Participant Handbook; and CFS Keying Rules-Table B-2, Name and
    Data Information and Table C-1, Reject Reasons-Form Not Signed; U.S.C., Title 18,
    Part 1, Chapter 63, Section 1342 (Fictitious Name or Address).

We recommend the Vice President, Intelligent Mail and Address Quality, coordinate with
the Vice President, Retail Operations, the Vice President, Delivery Operations, and the
Vice President, Network Operations, to:

2. Develop and implement a plan of action, with milestones, to enhance controls for
   verifying that COA orders are legitimate and authorized by the owner of the address.

Employee Override of System Warnings

Computerized Forwarding System (CFS) employees could override the Change of
Address Forms Processing System (CFPS) warning notification messages when
manually processing individual COA non-business move orders from a business
address. While CFPS procedures[4] prohibit employees from processing these types of
COA orders, management instructed CFS employees to override this warning message
and process these changes. Implementing stronger controls through supervisory
review and approval could mitigate opportunities for employee conflicts of interest and
the creation of false or fictitious COA orders, which could lead to identity theft and fraud.
See Appendix B for our detailed analysis of this topic.

[4] CFPS Scanner Site, Operations Training Course, Operator/Supervisor Participant
    Handbook, Table C-1, Reject Reasons.

We recommend the Vice President, Retail Operations, direct the Manager, Customer
Service Standardization, to:

3. Implement supervisory review and approval for overriding system warnings when
   processing individual Change of Address non-business move orders from a
   business address and update procedures accordingly.

Continuous Monitoring and Evaluation of Change of Address Complaints

The Postal Inspection Service was not regularly monitoring, evaluating, and notifying
the National Customer Support Center (NCSC) and customers regarding the status and
resolution of potentially fraudulent COA complaints. Policy[5] states promptness and
resolution are indicators of increased customer satisfaction in the complaint process,
and the referring offices should receive a letter for case closure. These issues occurred
because the Postal Inspection Service had no policies or procedures for regularly
monitoring, evaluating, or notifying the NCSC and customers concerning the status and
resolution of potentially fraudulent COA complaints. Addressing COA complaints would
contribute to the protection of the Postal Service’s brand, its commitment to protect
customer information, and its efforts to combat identity theft. We will report this
non-monetary impact for goodwill/branding in our Semiannual Report to Congress.
See Appendix B for our detailed analysis of this topic.

[5] Postal Operations Manual, Issue 9, dated July 2002 (updated with Postal Bulletin
    revisions through January 17, 2008), Sections 161, Consumer Services, Overview; and
    167.34(e), Responding to Customer Comments and Complaints, By Letter.

We recommend the Chief Inspector, Postal Inspection Service, direct the Inspector in
Charge, Criminal Investigations, to:

4. Investigate and provide timely feedback to the National Customer Support Center
   and customers on all potentially fraudulent change of address complaints.

We recommend the Chief Inspector, Postal Inspection Service, and the Senior Vice
President, Intelligent Mail and Address Quality, direct the Inspector in Charge, Criminal
Investigations, and Manager, Address Management, respectively, to:

5. Coordinate, develop, and implement policies and procedures for regularly monitoring
   and evaluating all potentially fraudulent COA complaints.

Processing Move Validation Letters in Response to Change of Address Orders

Generally, we found the Postal Service provides Move Validation Letters (MVLs) to
customers in a timely manner. However, we found 230 occurrences where the agency
processed MVLs outside the established timeframe[6] of 3 to 10 days, out of 78,389 COA
requests filed by customers between April 8 and 13, 2008. This occurred because the
Postal Service did not align its MVL processing time with FedEx’s delivery schedule.[7]
COA data losses and system processing issues at CFS sites and Remote Encoding
Centers (REC) also contributed to the delays. Although the 230 exceptions represent a
small percentage of the total processed, providing MVLs to customers in a timely
manner decreases the likelihood of false or fraudulent COAs contributing to identity
theft.

During the audit, management changed its MVL processing schedule to align with
FedEx’s delivery schedule, and as a result, we are not providing a recommendation
regarding this condition. However, we are providing a recommendation to minimize
COA data losses and system processing issues to ensure MVLs are provided to
customers on a timely basis.
See Appendix B for our detailed analysis of this topic.

[6] Handbook PO-250, Consumer Answer Book, Chapter 4, Section 4-3, Confirmation Letter.
[7] The NCSC utilizes the services of FedEx for transporting MVLs to the delivery points
    on a 6-day schedule. However, NCSC only operates on a 5-day schedule to create and
    process MVLs.

We recommend the Senior Vice President, Intelligent Mail and Address Quality, direct
the Manager, Address Management, to:

6. Coordinate and implement procedures for minimizing Change of Address data
   losses and system processing issues to ensure the Move Validation Letters are
   provided to customers in the 3- to 10-day timeframe.

Management’s Comments

Management agreed with all six recommendations. Regarding recommendation 1, the
Manager, Address Management, will work with the Assistant Treasurer, Payment
Technologies, and their strategic alliance partner, Imagitas, Inc., to update the ICOA
application xx xxxxxxxx xxxxxxxxxx xx xxxxxxxxx xxxxxxx xxxxxx xxxxx. In addition, the
Manager, Address Management; the Assistant Treasurer, Payment Technologies; the
Manager, Corporate Customer Contact; and the supplier, Convergys PayPal, will work
together to update the TCOA application. The completion date for updating both
applications is March 31, 2009.

For recommendation 2, the Manager, Address Management, will coordinate with the
managers of Customer Service Standardization, Delivery Operations, and Processing
Operations to develop a joint action plan to enhance the signature controls for PS Form
3575 by March 31, 2009.
Once the plan is finalized and implemented, Address
Management will implement a process to review a statistical sampling of all PS Forms
3575 each quarter and will report findings on any deviations from established policy and
procedures to the appropriate functional groups. Address Management will continue to
pursue ICOA as its long-term strategy to ensure the entries of COA orders are
legitimate and duly authorized by the customers. Additionally, on May 7, 2008,
Customer Service Standardization issued a standup talk to all CFS units reemphasizing
that the units should not finalize PS Forms 3575 without signatures. Management plans
an additional joint standup talk for CFS Operations and Delivery by September 1, 2008,
to reemphasize the initialing and dating requirements for PS Form 3546, Official
Change/Correction to Mail Forwarding Change of Address Order, and PS Form 3575Z,
Employee Generated Change of Address.

Regarding recommendation 3, management will make changes to the next release of
the CFPS software (version 4.0). The software change will reject the forms for an
individual or family COA nonbusiness move order from a business address prior to
acceptance. The next release of the CFPS software has a tentative deployment date of
May 2009, contingent on other Postal Automated Redirection System dependencies.

In response to recommendations 4 and 5, the Postal Inspection Service plans to issue a
policy update by December 31, 2008, addressing investigative procedures for the
review of COA complaints and documentation, and requiring close coordination and
feedback to the NCSC on the status of their review of COA complaints.
The updated
Postal Inspection Service policy requires documentation in the Financial Crimes
Database (FCD) on customer and NCSC contacts, as well as quarterly monitoring to
ensure compliance with the policy. The Postal Inspection Service will communicate with
NCSC and provide semiannual updates on new schemes that may affect the COA
process. The NCSC will also monitor and evaluate potentially fraudulent COA
complaints in conjunction with the Postal Inspection Service. Management stated the
NCSC has already modified its system to record the resolution of complaints as
provided by the Postal Inspection Service.

For recommendation 6, management will ensure that customers receive MVLs in a
timely manner. The response indicated that the NCSC took several significant actions
to improve the timely delivery of MVLs. In February 2008, the NCSC implemented a
change to reduce dispatching lag time for MVLs, and in April 2008 expanded the
printing of MVLs from 5 to 6 days a week. Management indicated these changes
resulted in an 18.7 percent improvement in the number of MVLs delivered within 5 days
of the date the customer COA was entered. NCSC will continue implementing
procedures to ensure that they receive all COAs and will enhance management
oversight of the MVL program. To review management’s comments in their entirety,
see Appendix C.

Evaluation of Management’s Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management’s
comments responsive to the recommendations, and their corrective actions should
resolve the issues identified in the report.

The OIG considers recommendations 1, 2, 4, and 5 significant, and therefore requires
OIG concurrence before closure.
Consequently, the OIG requests written confirmation
when corrective actions are completed. These recommendations should not be closed
in the follow-up tracking system until the OIG provides written confirmation that the
recommendations can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Gary C. Rippie, Director,
Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L. Whitcomb
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Ross Philo
    George W. Wright
    Delores J. Killette
    Anthony M. Pajunas
    Harold E. Stark
    Alice M. VanGorder
    James D. Wilson
    Amy S. Rose
    Lori M. Wigley
    Annette P. Raney
    James W. Kiser
    Thomas M. Addams
    John F. Bolger
    Henry Herrera
    Katherine S. Banks

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

Identity theft is America's fastest growing crime. The Federal Trade Commission
defines identity theft as a fraud that is committed by using a person’s identifying
information without authority. This can occur when mail is diverted to another location
by completing unauthorized COA orders. Over 40 million Americans change their
address annually, which creates a tremendous challenge for the Postal Service in
maintaining a high-quality repository of addresses.
A person’s identity is valuable and if
someone steals it to commit fraudulent acts, it can affect every aspect of that person’s
life, including their credit and ability to purchase a house or car or obtain a job or
medical care.

There are three processes for making a COA request:

        •    Hard copy COA
        •    ICOA
        •    TCOA

Table 1: COA Orders FY 2007

Method              No. Orders       Percentage
Hard Copy COA       41,832,042          86.7
ICOA                 6,334,336          13.1
TCOA                   101,628           0.2
Total Orders        48,268,006         100.0

The ICOA and TCOA methods require a $1.00 fee charged to the customer initiating the
COA request. This fee causes a transaction to occur which is used for customer
identity verification purposes. However, the hard copy COA process does not verify the
customer’s identity. The Postal Service processed ICOA orders using eCap to process
credit card payments through First Data Merchant Services[8] until January 2008. Credit
card transactions are currently processed through Bank of America Merchant Services.
The Postal Service contracts with Convergys[9] to handle TCOA orders using the PayPal
payment processor.
Both payment processor systems interact with the Address
Verification System to ensure the ZIP Code and street number in the address provided
matches the billing address on file with the credit card issuer.

[8] Since December 2004, the Postal Service used First Data Merchant Services to process
    credit card transactions for customers submitting ICOAs using moversguide.com.
[9] Convergys provides services to the Postal Service by allowing customers to change
    their address over the telephone with or without speaking to a TCOA representative.

Once the Postal Service processes COAs, it mails a MVL and then a Confirmation
Notification Letter (CNL) to the customer’s old and new address, respectively. Both
letters are designed to notify customers of the COA filing and provide contact
instructions if the information is incorrect.

Processing a COA involves the Postal Service business units outlined below.

Postal Service Office           COA Function
Customer Service Operations     Manages 115 CFS sites nationwide and oversees the
                                processing of all COA orders.
Corporate Customer Contact      Oversees the contract with Convergys for processing
                                TCOA orders.
Network Operations              Responsible for domestic mail processing and
                                transportation networks, which includes the REC accepting
                                and processing the COA images received from the CFPS.
Delivery Operations             Responsible for delivering MVLs and CNLs within standard
                                delivery time.
NCSC                            The NCSC manages COA business operations, which
                                include hosting data transfers between CFS sites and the
                                NCSC; overseeing contract operations for MVLs and CNLs;
                                and managing the alliance with Imagitas, Inc., which
                                handles the ICOA orders. In addition, they are responsible
                                for receiving and reviewing COA complaints and forwarding
                                potential fraudulent complaints to the Postal Inspection
                                Service.
Postal Inspection Service       Receives information from the NCSC on potentially
                                fraudulent COA orders and complaints for further review
                                and investigation.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine if COA controls ensure that address change requests
are properly authorized and validated to minimize potential identity theft. To accomplish
our objective, we identified risks associated with the three COA methods – ICOA,
TCOA, and hard copy COA.
We identified and evaluated controls in place for each of
the three COA methods and determined if controls were being consistently applied as
follows:

•   Authorization – Determine if the customer authorized the change.

•   Accuracy – Determine if the controls in place ensure COA order data are accurate.

•   Completeness – Determine if controls in place ensure COAs are sufficiently
    complete.

•   Segregation of Duties – Determine if controls are in place to prevent inappropriate
    processing of COAs.

•   Timeliness – Determine if employees process MVLs and CNLs timely.

•   Monitoring/Evaluation – Determine if management adequately evaluates complaints
    on an ongoing basis to detect potential identity theft.

We reviewed documentation, policies and procedures, and interviewed key officials at
the NCSC, Customer Service Operations, the Postal Inspection Service, Consumer
Affairs, Corporate Customer Contact, Delivery Operations, Engineering, and the OIG
Hotline to determine their roles in the COA process. In addition, we selected a
judgmental sample and visited 10 CFS sites[10] in seven Postal Service areas[11] to review
COA documents and scanned images in the COA Reporting System to identify potential
control weaknesses that may lead to identity theft.

To review the TCOA process, we visited the Corporate Customer Call Center operated
by Convergys in Jacksonville, North Carolina. To determine if controls were operating
as intended, we conducted three tests xxxxx x xxxxxxx xxxxxx xxxx xx xxxxxx xxxx xxx
xxxx xxxxxx. xxx xxxxxxx xxxxxxx xxxx xxx xxx xxxxxxxxxx xxxx x xxxxxxxxx xxxx xx
xxx xx xxx xxxxxxx.
We also conducted a test to submit an additional ICOA order using
a credit card that belonged to an individual not associated with the customer’s name
and old or new address.

We visited the NCSC to observe the MVL process. To determine the number of days
for processing the MVL, we obtained 78,390 MVL data records for the period April 8
through 13, 2008. Finally, we reviewed 139 complaints about potentially fraudulent
COAs for the period of October 6, 2006, through December 31, 2007, that the NCSC
forwarded to the Postal Inspection Service to determine if complaints are adequately
evaluated on an ongoing basis. We interviewed employees of the NCSC, the Postal
Inspection Service, Consumer Affairs, Corporate Customer Contact, and the OIG
Hotline to determine how they handle incoming COA complaints.

We conducted this performance audit from January through August 2008 in accordance
with generally accepted government auditing standards and included such tests of
internal controls as we considered necessary under the circumstances. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our
audit objective. We believe the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective.
We assessed the reliability of
computer-generated data supporting the audit finding and concluded the data was
sufficiently reliable to meet our audit objective. We discussed our observations and
conclusions with management officials during the audit and on July 25, 2008, and
included their comments where appropriate.

[10] We conducted our audit work at CFS sites in Greensboro and Raleigh, North Carolina;
     Louisville, Kentucky; Atlanta and Marietta, Georgia; Latham, New York; Indianapolis,
     Indiana; Santa Ana, California; Phoenix, Arizona; and Memphis, Tennessee.
[11] These CFS sites are in the following Postal Service areas: Capital Metro, Eastern,
     Southeast, Northeast, Great Lakes, Pacific, and Western.

PRIOR AUDIT COVERAGE

Report Title:       Management Advisory – Postal Service’s Procedures to Validate
                    Change of Address Orders
Report Number:      OE-MA-03-005
Final Report Date:  May 21, 2003
Monetary Impact:    None
Report Results:     The Postal Service’s process for validating COA orders was adequate.
                    The MVL helped detect when fraudulent orders were processed.
                    However, if the Postal Service considers accepting COA requests by
                    telephone,[12] it might want to explore controls to prevent the
                    acceptance of fraudulent COA orders.

Report Title:       Change of Address – Application Control Review
Report Number:      IS-AR-06-013
Final Report Date:  July 17, 2006
Monetary Impact:    None
Report Results:     Existing application controls are sufficient to ensure the overall
                    integrity of the data within the COA system. However, improvements
                    could be made primarily in the areas of access controls, segregation
                    of duties, protection of sensitive information, information security
                    assurance documentation, and audit logging.

Report Title:       Identity Theft Potential in Postal Service Information Systems
Report Number:      IS-AR-08-006
Final Report Date:  March 6, 2008
Monetary Impact:    $137,428
Report Results:     The Postal Service should enhance controls surrounding the
                    protection of sensitive and personally identifiable information in
                    the systems we reviewed. Specifically, management needs to make
                    improvements in the areas of user access, data protection, and the
                    collection and use of personally identifiable data on forms. Also,
                    the Postal Service should discontinue one of its employment
                    verification systems.

[12] This 2003 audit was conducted prior to the implementation of TCOA.

APPENDIX B: DETAILED ANALYSIS

Authentication of Internet and Telephone Change of Address Orders

Xxxxxxxxx xxx xxxx xxxx xxx xxxx xxxxxxxx xxxxx x xxxxxxx xxxxxx xxxx,
xxxxxxxxxxxxx xxxxxxxxxxxxx xxx xxxxxxx xxxxxxxxxxxx xxxxxxxx xxxxxxxx, xxx
xxxxxxxxxx xxx xxx xxxxxx xxx xxxx xxx xxxx xxxxxxxxxxxx xx xxxxxxxx xxx xxx xx
xxxxxxxxx xxxxxxx xxxxxx xxxxx. xxxxxxxxxxx xxx xxxxxxxxxx xx xxxxxxxxx xxxxxxx
xxxxxx xxxxx xxxx xxxxxxxxx xxxxxx xxxx xxx xxxx xxxxxx xxxxx xxxxxx xxxx
xxxxxxxxxx xxxxxxxxxxx xxxxxx xxx xxxxxx. xxxx xxxx xxxxxxx xxxxxx xxx xxxx xx
xxxxxxxxx xxxx xx xxxxxxxxxxxx xxxxxxxxx, xxxxx xxxxxxxxxxx xx xxxxxxxxx xxxxx,
xxxxxxxx xxxxx, xxx xxxxxxxx xxxx xx xxxxxxxxx.

The Postal Service has a contract with Imagitas, Inc., for providing online services to
process ICOAs and a draft Requirements and Analysis Specification for Postal Service
COA Phase 3 with Convergys to process TCOAs. The NCSC is responsible for ICOA
and TCOA business rules and both methods charge an identity verification fee of $1.
The Postal Service uses this fee to validate if the customer’s street number and ZIP
Code in the address provided matches the billing address on file with the credit card
issuer.

xx xxxxxxxxx xxxxx xxxxx x xxxxxxx xxxxxx xxxx xx xxxxxx xxxx xxx xxxx xxxxxx.
xxxx
xxxxx xxx xxxxxxx xxxxxx xxxx, xxx xxxxxx xxx xxx xxxxxxx xxx xxxxxxxx xx xxxxxxxx
xxxxx xxx xxxxxxx, xxx xxxxxxx, xx xxx xxxxx xxxxxxxx xxxxxxxxxxxx xxxxxxxxxxx. xxx
xxxxxx xxxxxxxxxx xxxxxxxx xxx xxx xxxxxx xxx xxxx xxx xxxx xxxx xxxx xx xxxxxxxxx
xx xxx xxxx.

We also conducted tests to submit ICOA orders using credit cards that belonged to
individuals not associated with the customer’s name and old or new addresses. The
system was unable to verify the customer’s identity with the information provided and
the COA orders were properly rejected.

Authentication of Hard Copy Change of Address Orders

Authorization and validation controls surrounding the hard copy COA process do not
always prevent the acceptance and processing of COA requests which may not be
legitimate and authorized by the owner of the address. The Postal Service faces
challenges to ensure a proper balance between providing timely customer service and
assuring proper customer authorization for the hard copy COA process.

Our review of 217 COA orders (PS Forms 3575 [13]) from 10 CFS sites showed:

•    Twenty-two COA orders (10 percent) without customer signatures or with lines or
     marks in the signature box.
•    Twenty-four COA orders (11 percent) where the customer name and signature did
     not match.
•    Five COA orders (2 percent) with the Postal Service employee’s signature or initials
     in the customer’s signature box.

The Postal Service often receives COA orders in the mail for processing.
Some forms
do not have signatures and others contain invalid lines or marks in the signature box.
CFS site employees normally review PS Forms 3575 prior to scanning.

Customers’ failure to sign (authorize) PS Forms 3575 is the most common error and
CFS employees should reject forms without customer signatures and return them to
delivery units.[14] If not detected before scanning, REC sites also should reject these
orders and return them to the delivery units. In addition, any person who uses a
fictitious, false, or assumed title, name, or address, or name other than his own proper
name, shall be fined under Title 18 or imprisoned not more than 5 years, or both.

The Postal Service has determined that ICOA is the most efficient way for customers to
file a COA request. Therefore, the NCSC has planned the "Behind the Counter" pilot
project, which will increase the use of the ICOA method. This will be done by replacing
all PS Forms 3575 at the counter with ICOA cards. The Postal Service is conducting
this pilot project from June 16 to August 31, 2008, at 597 Post Offices in the Denver,
Colorado; Minneapolis, Minnesota; and Tampa, Florida, service areas and plans to
evaluate the results.

Employee Override of System Warnings

CFS employees could override the CFPS warning notification message when manually
processing individual COA non-business move orders from a business address. When
CFS employees manually enter the business address, a screen warning appears
indicating they will not be able to complete the record. Procedures state employees
should reject address changes for non-business moves from business addresses.
However, management issued a bulletin to instruct employees to override the system
warning.
Also, policy [15] states individuals should not have assigned duties that cause a
conflict of interest or present an undetectable opportunity for malicious wrongdoing,
fraud, or collusion.

[13] PS Form 3575 is a hard copy COA order.
[14] Handbook PO-250, Consumer Answer Book, Chapter 4, Section 4-4; CFPS Scanner Site Operations Training
Course Operator/Supervisor Participant Handbook; and CFS Keying Rules-Table B-2, Name and Data Information
and Table C-1, Reject Reasons-Form Not Signed; U.S.C., Title 18, Part 1, Chapter 63, Section 1342 (Fictitious Name
or Address).
[15] Handbook AS-805, Information Security, March 2002, updated with Postal Bulletin revisions through November 23,
2006, Section 6-3.1 Separation of Duties and Responsibilities.

Continuous Monitoring and Evaluation of Change of Address Complaints

The Postal Inspection Service was not regularly monitoring, evaluating, and notifying
the NCSC and customers regarding the status and resolution of potentially fraudulent
COA complaints, because it had no policies or procedures for doing so. Addressing
COA complaints would contribute to the protection of the Postal Service’s brand, its
commitment to protect customer information, and its efforts to combat identity theft. We
will report this non-monetary impact for goodwill/branding in our Semiannual Report to
Congress.

The NCSC has a process for evaluating COA complaints. Complaints identified as
potentially fraudulent are forwarded to the Postal Inspection Service for further review,
investigation, and resolution. We reviewed 139 potentially fraudulent COA complaints
the NCSC referred to the Postal Inspection Service. These consisted of only hard copy,
ICOA, and White Fence [16] complaints, as there were no TCOA complaints.
As indicated
in the table below, only 18 (13 percent) were assigned investigation case numbers,[17]
while 36 (26 percent) were assigned FCD [18] numbers.

Table 2: Complaints Assigned a Case or FCD Number by the Postal Inspection Service

COA Type       Total Complaints   Case Numbers Assigned   Case %   FCD Numbers Assigned   FCD %
Hard Copy             99                   14               14              21              21
ICOA                  29                    2                7              11              38
White Fence           11                    2               18               4              36
Total                139                   18               13              36              26

The potentially fraudulent COA complaints are for the period October 6, 2006, to
December 31, 2007, with reported monetary impact totaling $468,212. Customers
reported loss of identity, stolen checks, and the establishment of auto loans, credit
cards, and, in at least one instance, a mortgage, in their names. Currently the Postal
Inspection Service selectively reviews complaints based on ongoing investigations and
categorization of cases.
Improvements are needed in monitoring, evaluating, and
notifying the NCSC and customers regarding the status and resolution of this type of
complaint.

The Postal Inspection Service and the NCSC are aware of the issues surrounding COA
complaints and are evaluating solutions to improve the COA complaint and resolution
process. Also, the NCSC is in the process of developing the COA Watch Initiative, a
trend analysis system designed to prevent the use of Postal Service COA methods for
malicious purposes.

[16] White Fence is a third party company providing free COA services online to Postal Service customers.
[17] Management assigns case numbers if COA complaints warrant further investigation by the Postal Inspection
Service.
[18] The FCD is a web-based investigative application the Postal Service uses to capture mail theft and identity theft
complaints. This system is available to all Postal Service inspectors, however, not all potentially fraudulent COA
complaints the NCSC forwarded to the Postal Inspection Service are placed in the FCD database and assigned FCD
numbers.

Processing Move Validation Letters in Response to Change of Address Orders

Generally, we found the Postal Service provides MVLs to customers in a timely manner.
However, we found 230 occurrences where the agency processed MVLs outside the
established timeframe [19] of 3 to 10 days, out of 78,389 COA requests filed by customers
between April 8 and 13, 2008. Our analysis indicates the average number of days to
process MVLs ranged from .20 to 1.39.

We analyzed the MVL data for each of the 10 CFS sites to determine the anomalies by
identifying the range of processing days. We found occurrences where the longest MVL
processing time ranged from 18 to 98 days.
Postal Service’s MVL processing time,
FedEx’s delivery schedule, COA data losses, and system processing issues at CFS
sites and RECs contributed to the delays. Although the 230 exceptions represent a
small percentage of the total processed, providing MVLs to customers in a timely
manner decreases the likelihood of false or fraudulent COAs contributing to identity
theft.

[19] Handbook PO-250, Consumer Answer Book, Chapter 4, Section 4-3, Confirmation Letter.

APPENDIX C: MANAGEMENT’S COMMENTS
'